I have just finished having an interesting chat with a friend who works in Asia. We discussed how disrupted the world is – and how, in his space, that involves businesses operating for part of the day, with ‘workarounds’ that recognize your backup generator is not going to get a steady fuel supply, etc. It led me to reflect on the following question:
How strong is the move from traditional Business Continuity and RTOs to a focus on Operational Resilience and Impact Tolerance?
Where the shift is strongest
- UK financial services: FCA/PRA rules require firms to identify Important Business Services (IBS) and set/validate impact tolerances, making them board‑approved, audited metrics rather than optional add‑ons.[2][4][5][6]
- Global large financial institutions and market infrastructures: firms now treat operational resilience as a distinct programme, not “BCM 2.0”, with service‑level testing against impact tolerances.[4][7][8][1]
- Tech and cyber‑exposed organizations: newer “ResOps” approaches explicitly map IT assets to critical services and continuously monitor performance against impact tolerances, moving beyond static RTO documentation.[7][9][1]
Focus difference table

[3][6][10][11][1][2][7]
How impact tolerance changes the conversation
- RTOs are still used, but as subordinate levers; RTOs are typically set inside the impact tolerance window so that, even after recovery, there is time to clear backlogs and avoid breaching harm thresholds.[6][10][11][1][7]
- Impact tolerance reframes the question from “How fast can I recover this function?” to “How much disruption to this service, for whom, over what period, is just tolerable?” and forces explicit articulation of customer and systemic harm.[1][2][3][6][7]
- This in turn drives more emphasis on end‑to‑end mapping, third‑party dependencies, and “severe but plausible” scenario testing, which are less prominent in traditional RTO‑centric BCM.[9][2][3][4][1]

Where the shift is weaker or more nominal
- Outside regulated finance (e.g. many corporates, public sector), impact tolerance is often adopted as language or a maturity aspiration, while day‑to‑day planning and exercises still revolve around process‑level RTOs and recovery playbooks.[12][2][3][9]
- Even in financial services, some organizations struggle to operationalize tolerances, defaulting to relabelled RTOs rather than genuinely service‑level, harm‑based thresholds with monitoring and board challenge.[13][4][7][1]
Practical implication for your practice
- For regulated clients, the centre of gravity has clearly moved to impact‑tolerance‑led, service‑centric resilience, with BCM and RTOs nested inside.[2][3][4][7][1]
- For others, a hybrid approach is resonating: retain familiar RTOs and BIA, but re‑frame critical outputs as “important services” and translate RTOs into explicit tolerances for customer/stakeholder harm to build a bridge toward full operational resilience.[8][10][11][7][2]

Sources
[1] Operational Resilience vs Business Continuity: The Regulatory Shift … https://risktemplate.com/blog/2026-04-06-operational-resilience-vs-business-continuity-regulatory-shift/
[2] Impact tolerance in operational resilience: A guide for businesses https://www.everbridge.com/blog/impact-tolerance-in-operational-resilience/
[3] [OR] [Vs] Operational Resilience Versus Business Continuity … https://blog.bcm-institute.org/operational-resilience/or-vs-operational-resilience-versus-business-continuity-management
[4] Operational Resilience vs Business Continuity: A Comparison | Blog https://corporater.com/blog/operational-resilience-vs-business-continuity-a-comparison/
[5] [PDF] Guidance for Firm Operational Resilience https://www.cmorg.org.uk/sites/default/files/2025-04/CMORG%20-%20Guidance%20for%20Firm%20Operational%20Resilience%20v3%20-%20April%202025%20-%20TLP%20Clear.pdf
[6] [PDF] Impact Tolerances: Appetite for Disruption https://www.theia.org/sites/default/files/2021-05/Impact%20Tolerances%20-%20Appetite%20for%20Disruption%20May21.pdf
[7] Impact Tolerance Metrics and Operational Resilience : A Perspective https://sunandoroy.org/2025/10/28/impact-tolerance-metrics-and-operational-resilience-a-perspective/
[8] Evolving from Business Continuity to Full Operational Resilience https://www.dtcc.com/dtcc-connection/articles/2021/april/15/evolving-from-business-continuity-to-full-operational-resilience
[9] Operational Resilience Frameworks and Best Practices – Commvault https://www.commvault.com/explore/operational-resilience
[10] Impact Tolerance Vs Recovery Time Objective – BCM Institute Blog https://blog.bcm-institute.org/operational-resilience/impact-tolerance-and-recovery-time-objective
[11] Operational Resilience Update – Impact Tolerances – ISC https://iscltd.com/operational-resilience-update-impact-tolerances/
[12] RTO vs. RPO: What’s the Difference and How are They Used? https://riskonnect.com/business-continuity-resilience/rto-rpo-differences-and-uses/
[13] How are you determining your impact tolerances? – WTW https://www.wtwco.com/en-my/insights/2025/09/operational-resilience-how-are-you-determining-your-impact-tolerances
[14] Operational Resilience Series #3: Designing your impact tolerances https://www.protechtgroup.com/en-au/blog/operational-resilience-series-3-designing-your-impact-tolerances
[15] How to set RTO and RPO for business continuity – LinkedIn https://www.linkedin.com/posts/konkrit-solutions-ltd_when-a-disruption-happens-two-questions-activity-7353749543072464896-hI4Y
